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Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 {Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents the results of the U.S. Coast Guard's fiscal year 2008 Mission Action 
Plans audit. We contracted with the independent public accounting firm KPMG LLP (KPMG) to 
perform the audit. The contract required that KPMG perform its audit according to generally 
accepted government auditing standards. KPMG is responsible for the attached independent 
auditor's report and the conclusions expressed in it. 

The recommendations herein have been discussed in draft with those responsible for implementation. 
It is our hope that this report will result in more effective, efficient, and economical operations. We 
express our appreciation to all of those who contributed to the preparation of this report. 
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This report presents the results of our work conducted to address the performance audit objectives relative 
to the Department of Homeland Security's (DHS or the Department) Mission Action Plans (MAPs) 
developed to address the internal control deficiencies at the U.S. Coast Guard (USCG). These 
deficiencies were identified by management and/or reported in the KPMG LLP (KPMG) Independent 
Auditors' Report included in the Department's fiscal year 2007 Annual Financial Report (FY 2007 
Independent Auditors' Report). 

This performance audit is the second in a series of four performance audits that the Department's Office 
of Inspector General (OIG) has engaged us to perform related to the Department's fiscal year 2008 MAPs 
for use in developing the Department's Internal Controls Over Financial Reporting Playbook (ICOFR 
Playbook). This performance audit was designed to meet the objectives identified in the Objectives, 
Scope, and Methodology section of this report. Our audit procedures were performed using draft MAPs 
provided to us between November 30, 2007 (FBwT and Entity Level Controls); and December 31, 2007 
(IT integration). Interviews with DHS and USCG management and other testwork, was performed at 
various times through February 11, 2008, and our results reported herein are as of February 22, 2008. 

We conducted this performance audit in accordance with generally accepted government auditing 
standards (GAS). Those standards require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on 
our audit objectives. 

The performance audit did not constitute an audit of financial statements in accordance with GAS. 
KPMG was not engaged to, and did not, render an opinion on the Department's or USCG's internal 
controls over financial reporting or over financial management systems (for purposes of Office of 
Management and Budget Circular No. A-127, Financial Management Systems, July 23, 1993, as revised). 
KPMG cautions that projecting the results of our evaluation to future periods is subject to the risks that 
controls may become inadequate because of changes in conditions or because compliance with controls 
may deteriorate. 
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EXECUTIVE SUMMARY 



The Department of Homeland Security (DHS or the Department) has identified weaknesses in internal 
control over financial reporting through its annual assessment conducted pursuant to Office of 
Management and Budget (OMB) Circular No. A- 123, Management 's Responsibility for Internal Control, 
and compliance with the Federal Managers' Financial Integrity Act (FMFIA). Some deficiencies are 
material weaknesses identified by DHS' external financial statement auditor. Beginning in 2006, the 
Department launched a comprehensive corrective action plan to remediate known internal control 
deficiencies. The plan is documented in the Internal Controls Over Financial Reporting Playbook 
(ICOFR Playbook). The Mission Action Plan (MAP) is a key input to the ICOFR Playbook that 
documents the remediation actions planned for each control deficiency at the DHS component level. The 
MAP provides specific actions, timeframes, key milestones, assignment of responsibility, and the timing 
of corrective action validation. 

The objective of this performance audit was to evaluate and report on the status of the detailed MAPs 
prepared by the United States Coast Guard (USCG) to correct internal control deficiencies over financial 
reporting. We conducted our audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States. Our audit 
was performed using specific criteria, to assess the process used by the USCG, and to evaluate the MAPs 
submitted by USCG to the DHS Chief Financial Officer to be included in the 2008 ICOFR Playbook. 

The evaluation criteria were developed from a variety of sources including technical guidance published 
by OMB, the Government Accountability Office, and applicable laws and regulations. We also 
considered DHS' policies and guidance, and input from the Office of Inspector General when designing 
evaluation criteria. Our evaluation criteria are: 

1. Identification (of the root cause) - Identification of the appropriate underlying problem or root 
cause of the internal control deficiency condition(s). 

2. Development (of the MAP) - Clear action steps that address the root cause, with attainable and 
measurable milestones at an appropriate level of detail. 

3. Accountability (for execution of the MAP) - The individual MAP owner is held responsible for 
its successful implementation, ensuring that milestones are effectively and efficiently achieved 
and that the validation phase is completed. 

4. Verification and validation — The MAP includes written procedures to verify successful 
implementation of the MAP, a means to track progress throughout the MAP lifecycle, and 
reporting results when complete. 

We noted that the USCG has prepared MAPs that address the control deficiencies over Fund Balance with 
Treasury (FBwT); Entity-Level Controls; and Information Technology (IT) Integration. However, we also 
noted areas where the MAPs could be improved. Specifically, we noted that a more thorough analysis 
should be performed to identify the underlying problem that created the control deficiencies. The root 
cause analysis should include consideration of the relevant detailed processes, human resources, and IT 
systems, The analysis should be expanded to consider interdependencies with other processes, and 
control deficiencies, and corrective actions should be cross-referenced with management assertions at the 
financial statement level to ensure that remediation is most effective. 

In some cases, the MAPs did not include specific corrective actions, with incremental milestones that are 
attainable, measurable, and verifiable, over a realistic timeframe. The MAPs lacked an appropriate level 
of detail to enable independent analysis of the effectiveness of the MAPs in remediating root causes and 
providing users with insight on the period status of the MAP implementation. 
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The USCG lacks a comprehensive plan for verification and validation of MAP results that can be used to 
monitor and report results. Further, the verification and validation procedures that are included in the 
MAPs are not clearly linked to the Department's OMB Circular A- 123 initiatives currently underway. 
We recommended that the USCG revise its MAPs to address these concerns. We are also recommending 
that the USCG develop an "end state" model for each defined process, including taking any future 
Department system baseline and support for financial reporting assertions, laws & regulations, and 
accounting standards into consideration. They should then compare the current processes with the 
identified control and process deficiencies and root causes to the "end state" model to develop specific, 
actionable, and measurable project plan steps linked to supporting the financial reporting assertions and 
complying with laws and regulations and accounting standards. 
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BACKGROUND 



The Department of Homeland Security (DHS or the Department) and the United States Coast Guard 
(USCG) recognize that deficiencies in internal control over financial reporting exist. The internal control 
deficiencies are reported by DHS management in its annual Secretary's Assurance Statements, issued 
pursuant to Office of Management and Budget (OMB) Circular No. A- 123, Management's Responsibility 
for Internal Control. The Secretary's Assurance Statement and the findings of the external auditor are 
reported in Department's fiscal year 2007 Annual Financial Report (AFR). The conditions causing the 
control weaknesses are diverse and complex. Many conditions are systemic, inherited with legacy 
financial processes and IT systems at the time of the Department's formation in 2003. The evolution of 
the Department's mission, programs, component restructuring, and other infrastructure changes has made 
remediation of these control weaknesses very challenging. To meet this challenge, the Department's 
Secretary, Chief Financial Officer and financial management in the DHS components have adopted a 
comprehensive strategy to implement corrective actions beginning in fiscal year (FY) 2007 and 
continuing in FY 2008. 

The DHS Office of the Chief Financial Officer (OCFO), Internal Control Program Management Office 
(ICPMO) is primarily responsible for the development and implementation of the Department's strategy 
to implement corrective action plans. The ICPMO has documented its strategy and other related plans to 
remediate identified internal control deficiencies in the Internal Controls Over Financial Reporting 
Playhook (ICOFR Playbook). 

In 2006, the Department issued Management Directive 1030, Corrective Action Plans, and the 
Department enhanced its existing guidance by issuing the Mission Action Plan Guide, Financial 
Management Focus Areas Fiscal Year 2008 (MAP Guide). In accordance with the MAP Guide, the 
Department and the components developed Mission Action Plans (MAP) that describes the corrective 
actions to be implemented. The Department continued to utilize Electronic Program Management Office 
(ePMQ), a Web-based software application, to manage the collection and reporting of MAP information. 

The MAP Guide is applicable to all Department components, including USCG, and outlines the policies 
and procedures necessary to develop fiscal year 2008 Department MAPs. All components were required 
to submit MAPs, or MAP updates, for any new or existing internal control deficiencies over financial 
reporting, identified by management or the external auditors, for input into to the fiscal year 2008 ICOFR 
Playbook. 

To comply with Management Directive 1030, and the MAP Guide, the USCG adopted the Financial 
Strategy for Transformation and Audit Readiness (FSTAR) initiative. With the support of the 
Department, the USCG / FSTAR prepared three detailed MAPs for fiscal year 2008, related to the internal 
control deficiencies over FBwT; Entity-Level Controls; and IT Integration reported as or contributing to 
material weaknesses in the 2007 Independent Auditors' Report, which are summarized below: 

• Financial Management and Entity Level Controls - USCG has not fully implemented an effective 
financial management organizational structure. It has significant weaknesses in financial 
management oversight that hindered its ability to prepare accurate, complete, and timely financial 
information. 

• Fund Balance with Treasury - USCG did not have effective controls or supporting documentation 
that validated the accuracy of all of its FBwT balances, reconciliations, and clearing of suspense 
items. It did not have an effective process for accounting for suspense account transactions 
related to FBwT. The USCG was unable to provide validated military and civilian payroll data to 
support payroll transactions processed through the USCG's FBwT. 
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• Financial Reporting; IT Integration - USCG's financial reporting material weaknesses include 
control deficiencies related to IT Integration. The USCG has not developed and implemented an 
effective general ledger system. Its financial and mixed IT systems are not sufficiently integrated 
and are significantly noncompliant with the requirements of the Federal Financial Management 
Improvement Act. 

Conditions existing at the USCG contributed to all Department material weaknesses in internal control 
over financial reporting, reported in FY2007 (seven in total). However, to focus its attention and 
resources, the USCG has limited its MAPs to the three weaknesses described above. MAPs to correct the 
remaining four material weaknesses, e.g., IT systems security, capital assets, liabilities, budgetary 
accounting, and other conditions affecting financial reporting, will be developed by USCG's Financial 
Strategy for Transformation and Audit Readiness (FSTAR) later in FY2008 or beyond. 

OBJECTIVE, SCOPE, AND METHODOLOGY 

Objectives 

The objective of this performance audit was to evaluate and report on the status of detailed MAPs 
prepared by USCG to correct internal control deficiencies over financial reporting. Our evaluation was 
performed using specific criteria, described in the Methodology section below, to assess the process used 
to develop and document USCG's FY 2008 MAPs, We did not evaluate the outcome of the MAP 
process, or any corrective actions taken by management during our audit, and our findings should not be 
used to project ultimate results from the MAP implementation. Recommendations are provided to help 
address findings identified during our performance audit. 

Scope 

The scope of this performance audit includes USCG's FY 2008 MAPs developed to address the FBwT; 
Entity-Level Control; and IT Integration control weaknesses at the USCG as reported in the Secretary's 
FY 2007 Assurance Statement, and in the FY 2007 DHS Independent Auditors' Report. The MAPs 
subjected to our evaluation were provided by the OCFO, on behalf of the USCG, between November 30, 

2007 (FBwT and Entity Level Controls); and December 31, 2007 (IT integration). The scope of this 
performance audit did not include procedures on any of the MAPs associated with other control 
deficiencies existing at USCG as reported in the FY 2007 Independent Auditors' Report. Our audit was 
performed between January 4, 2008 and February 11, 2008, and our results reported herein are as of 
February 22, 2008. 

Methodology 

We conducted this performance audit in accordance with the standards applicable to such audits contained 
in the Government Auditing Standards, issued by the Comptroller General of the United States. Our 
methodology consisted of the following four-phased approach: 

Phase I - Project Initiation and Planning - We attended meetings with the Department's Office of 
Inspector General (OIG), OCFO, and USCG to review the performance audit objectives and scope, 
describe our audit approach, communicate data requests, and gain an understanding of the status of USCG 

2008 MAPs. 

Phase II - Data Gathering - We performed interviews with accounting and finance management and 
staff at USCG and OCFO. Through these interviews, we gained an understanding of the process used to 
develop the MAPs, including key inputs and data used, assumptions made, and reasons for conclusions 
reached. The interviews focused on the analysis performed by USCG to identify the underlying problems 
creating the internal control weakness (root cause), the planned corrective actions, the critical milestones 
chosen for measurement, and the methods used to monitor and validate progress in meeting the 
milestones. We discussed USCG's resource allocation strategy employed in the development and 
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eventual implementation of the MAPs, including the utilization of contractors to supplement staff as 
needed and the use of specialists, if necessary. We conducted meetings with the Department's OIG to 
identify and agree to the criteria used to evaluate the status of the MAPs (as defined below). 

We performed reviews of key documents and supporting information provided to us. Our documentation 
reviews included: 

• The three USCG MAPs (i.e., the MAP Detail and Summary Reports) that were included within 
our scope, and any underlying supporting documentation provided by USGG. 

• The Notice of Findings and Recommendations (NFRs) issued during the FY 2007 financial 
statement audit by the external auditors that supported the internal control findings reported in the 
FY 2007 Independent Auditors' Report. 

• Information provided by USCG management regarding the allocation of resources related to all 
MAPs, including the utilization of contractors. 

• The Annual Component Assurance statements provided pursuant to the requirements of OMB 
Circular No. A-123. 

• The ICOFR Playbook, MD 1030, the MAP Guide, draft USCG FSTAR Standard Operating 
Procedures (SOPs), and existing internal control monitoring guidance (e.g., OMB Circular 
No. A-123). 

Phase III - Analysis Using Established Criteria - Our evaluation criteria were developed from a variety 
of sources including technical guidance published by OMB (e.g., Circular No. A-123) and the 
Government Accountability Office (e.g., Standards for Internal Control in the Federal Government), and 
applicable Federal laws and regulations (e.g., Federal Managers ' Financial Integrity Act of 1982). We 
also considered DHS' policies and guidance, such as the MAP Guide and the ICOFR Playbook, and input 
from the OIG. Our evaluation criteria were: 

1. Identification (of the root cause) — Identification of the appropriate underlying root cause that is 
causing the internal control deficiency. A comprehensive analysis typically includes a full 
assessment of the business processes, data flows, and information systems that drive the 
transactions/activities associated with the accounting process where the internal control 
deficiencies are believed to exist. A thorough root cause analysis should include: 

a) Research to discover why, when, and how the condition occurred - what went wrong and 
why? 

b) Investigation to determine if the problem is procedural or human resources or both 
(processes, and /or people). 

c) An evaluation to determine if IT system functionality is contributing to the problem, and if IT 
system modifications could be part of the remediation. 

d) An evaluation of internal controls, including the existence of compensating controls that may 
mitigate the deficiencies. 

2. Development (of the MAP) - The MAP includes action steps that address the root cause, and 
attainable and measurable milestones at an appropriate level of detail. Milestones should enable 
independent analysis of a MAP's effectiveness in remediating root causes, and provide MAP 
users with insight on the status of the MAP's implementation. For example, they enable a user to 
determine if the appropriate level of resources to execute a milestone is available and identify 
potential gaps in milestones (e.g. a contractor may need to be hired before a specific milestone 
can be achieved). 

3. Accountability (for execution of the MAP) - Accountability for the MAP is clearly identified and 
assigned. The individual MAP owner is responsible for its successful implementation, ensuring 
that milestones are achieved, and validation of results. 

4. Verification and Validation - The MAP includes written procedures that verify successful 
implementation of the MAP, provide a means to track progress throughout the MAP lifecycle, 
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and require reporting results when complete. These activities should include documentation 
reviews, work observations, and performance testing that is maintained for internal OMB Circular 
No. A- 123 review and external audit. 

Phase IV - Findings and Recommendations - After conducting our Phase III procedures and applying the 
evaluation criteria to the MAPs, we formulated our findings and recommendations. The findings 
represent areas for potential improvement that could negatively affect USCG's remediation of the control 
deficiencies if the MAP is performed as designed. 

FINDINGS AND RECOMMENDATIONS 

The findings and recommendations described below resulted from procedures we performed on the MAP 
documentation provided on January 4, 2008 and do not reflect any subsequent enhancements and 
changes made to the documentation. We have not performed testwork over the nature and extent of any 
modifications made subsequent to our review and the findings and recommendations detailed below are 
not reflective of any changes. 

Findings 

We categorized our findings by evaluation criteria. 
Identification 

Our observations and comments related to the identification criteria of the US CG MAPs are consistent 
across each of three MAPs -FBwT, Entity^level controls, and IT Integration. We noted that: 

• The root causes identified were often generally defined, e.g., "Coast Guard has not designed a 
comprehensive, integrated accounting IT system to comply with the FFMIA system requirements 
and the USSGL at the transaction level." We also noted that the root cause was often listed as a 
condition or symptom of the problem, e.g., "Personnel Service Center (PSC) was not informed of 
the recurring reclassification entries that the finance center (FINCEN) manually processes due to 
errors in the interface file." 

• Evidence of an in-depth root cause analysis, including supporting information, and personnel 
consulted, was not created or maintained, preventing supervisory review, and independent 
corroboration of conclusions. USCG personnel indicated that root causes were determined by 
review of the Notice of Findings and Recommendations issued during the DIIS financial 
statement audits, the documentation developed and control gaps identified during the A- 123 
assessment project, and consensus reached through discussions between key USCG process 
owners. Consequently, we were unable to substantiate that the USCG performed an 
investigation to identify the underlying problem, and conducted their assessment of the business 
processes, data flows, and information systems that drive the transactions/activities associated 
with the control deficiencies and material weaknesses, 

• Critical interdependencies are not identified. For example, to successfully implement the FBwT 
MAP, and remediate the FBwT material weakness, it may be necessary, for USCG to meet 
milestones and correct underlying conditions identified in other MAPs related to human resources 
arid payroll, payment management, budgetary resource management, entity-level controls and/or 
the IT processes. However, the FBwT MAP does not illustrate these potential interdependent 
milestones or indicate how they may affect the successful implementation of the FBwT V1AP. 

• The conditions identified in the issue description sections of the MAPs do not clearly link or 
cross-reference to audit findings and the material weakness conditions identified in the 
Independent Auditors' Report, making it difficult to determine if all of the conditions supporting 
control weaknesses have been considered and are addressed in the MAPs. In certain instances, 



7 



the conditions described in the "Issue Description" section of the three MAPs do not clearly 
articulate the conditions and the severity of such conditions and how they impact the ability of 
management to support its financial reporting assertions. If the issues are not accurately 
described, USCG risks not being able to conduct comprehensive root cause analysis and develop 
effective MAPs. 

Development 

Our observations and comments related to the development criteria of the USCG MAPs are consistent 
across each of three MAPs -FBwT, Entity-level controls, and IT Integration. We noted that: 

• The MAPs lack specificity - The MAPs include general steps such as, "conduct analysis of IP AC 
and other significant classes of transactions," "Develop and promulgate operational objectives for 
internal control," "develop and implement standardized payment confirmation process," and 
"Implement monitoring/enforcement based on process/procedures defined," which are broad 
objectives, and usually not measurable. 

• The current MAP milestones are not linked directly to the financial statement assertions affected 
by the control weaknesses. As a result, the successful completion of the milestones may not fully 
address the appropriate financial assertions and achieve the desired result of correcting the 
existing internal control deficiencies. 

• Some MAPs defer the development of the detailed MAP project plan and milestones. For 
example, the Entity-level control MAP includes a task to "develop detailed project plan & 
resourcing assessment to conduct workforce analysis on financial management organizational and 
internal control strategy, structure, and processes" by September 1, 2008. 

Accountability 

Our observations and comments related to the accountability criteria of the USCG MAPs are consistent 
across each of three MAPs - FBwT, Entity-level controls, and IT Integration. The USCG properly 
identifies a responsible party for the MAPs, and the USCG designee in-charge of each MAP. As such, 
accountability for the MAP implementation is specified. 

The USCG is currently evaluating its human and other resource necessary to implement the MAPs. The 
MAPs and the draft FSTAR SOP state, "no funding will be applied to a task without a vetted, approved 
project plan" however, project plans have not been developed or completed. In accordance with its 
policy, the MAP will need to be approved before funding is provided and resources acquired. Delays in 
finalization of the plan and acquisition of resources could affect the timely completion of planned actions 
in !• Y2008. 

Verification and Validation 

Our observations and comments related to the verification and validation criteria of the USCG MAPs are 
consistent across each of three MAPs - FBwT, Entity-level controls, and IT Integration. We noted that: 

• Some key milestones in the MAPs contain steps that are not measurable or designed with 
incremental objectives. USCG has identified various critical milestones within each of the three 
MAPs, however they are often defined without a degree of specificity that would allow 
measurement. For example, we noted many milestones are achieved through confirmation of 
progress from the task owner. Confirmation of milestone completion is not a feasible 
measurement method, as achievement of a critical milestone should be measured using concrete 
evidence demonstrating that the task is complete. The difficulty in implementing a feasible 
measurement method for all critical milestones could stem from the lack of detailed, actionable 
steps. 
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• Many milestones are based on passage of time. Per the MAP Guide, "In the event that a MAP has 
a gap between any milestones (including the initial and final milestones) greater than or equal to 2 
months, the Component must include interim milestones for that timeframe to ensure quarterly 
progress and results can be determined." 

• While a contractor has drafted and provided to USCG for review, a set of operating procedures to 
monitor the progress of the MAP, the USCG has not adopted a comprehensive verification and 
validation plan to monitor the progress of the MAP. In addition, USCG has not implemented a 
mechanism to monitor its progress in meeting MAP milestones. 

Recommendations 

We recommend that the USCG perform the following to address our findings. 

1. Review each MAP, complete a thorough root cause analysis. When finished, the root cause 
analysis should: 

a. Identify the problem causing the internal control weakness, including how it occurred, 
when, and why. Current policies and procedures, human resources, and how IT systems 
affect the conditions should be considered; 

b. Identify and show consideration of all significant interdependencies, with overlapping 
processes and other MAP's. Perform process/sub-process analysis at a detailed activity 
or transaction level to identify all control and process deficiencies. This analysis should 
include a walkthrough or "test drive" of the activity/process flow with actual data or 
transactions. This facilitate enable the USCG's ability to develop comprehensive MAPs 
that include potential interrelationships between processes or other MAPs; 

c. Be prioritized for correction, to minimize duplication of effort where corrective actions 
overlap (i.e., correction of IT system posting logic errors may resolve multiple issues, or 
mitigate the need for process changes); and 

d. Be documented with sufficient level of detail to provide an adequate understanding of 
control and process deficiencies, how the deficiencies affect the financial reporting 
assertions, laws and regulations, and accounting standards, and enable a MAP user to 
prioritize the conditions based on their severity. Maintain documentation supporting the 
analysis for management review, OMB Circular A- 123 cross-reference and external 
auditor review. 

2. Modify the MAPs based on the analysis performed in #1 above. Each MAP should include 
specific corrective actions, avoiding general steps. Link or cross-reference the conditions 
identified in the issue description sections of the USCG MAPs to the material weakness 
conditions identified in the FY 2007 Independent Auditors' Report, to ensure reconcile the 
conditions identified in the FY 2007 Independent Auditors' Report to actions in the MAPs. 
Matrix the MAPs to the specific financial statement assertions that are affected by the control 
weaknesses being identified to ensure coverage of all key management assertions. 

3. Each MAP should include incremental milestones that are attainable, measurable, and verifiable, 
at an appropriate level of detail to enable independent analysis of a MAP's effectiveness in 
remediating root causes and provide MAP users with insight on the status of the MAP's 
implementation. Ensure that MAP milestones and implementation schedules are realistic given 
USCG funding constraints. Avoid using milestones that are met simply by passage of time. 

4. Develop a comprehensive plan for verification and validation of MAP results that can be used to 
monitor and report results. Link the verification procedures to the OMB Circular A- 123 
initiatives of the Department. Ensure that the objective of the verification and validation process 
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as described in the draft FSTAR SOP is to determine whether the remediation action was 
successful in supporting the relevant financial reporting assertions and/or compliance with laws 
and regulations and accounting standards. 

5. Include the development of an "end state" model for each defined process, including taking future 
Department systems baseline and support for financial reporting assertions, laws and regulations, 
and accounting standards into consideration. The end state model should account for the entire 
business process or life cycle from initiation through to completion (e.g. often the recording and 
reporting activities in a transactional process). Then compare the current processes with the 
identified control and process deficiencies and root causes to the end state model to develop 
specific, actionable and measurable project plan steps linked to supporting the financial reporting 
assertions and complying with laws and regulations and accounting standards. 

6. Ensure that the USCG MAP owners have the support necessary to successfully implement the 
MAPs. 

MANAGEMENT RESPONSE TO OUR REPORT 

Management has prepared an official response presented as a separate attachment to this report. 
In summary, management agreed with our findings and its comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, we express no 
opinion on it. 
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KEY DOCUMENTS AND DEFINITIONS 



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers ' Financial Integrity Act (FMFIA") requires that Executive Branch Federal agencies 
establish and maintain an effective internal control environment according to the standards prescribed by 
the Comptroller General and specified in the Government Accountability Office's (GAO) Standards for 
Internal Control in the Federal Government, In addition, it requires that the heads of agencies to 
annually evaluate and report on the effectiveness of the internal control and financial management 
systems. 

GAO's Standards for Internal Control in the Federal Government (Standards') defines internal control as 
an integral component of an organization's management that provides reasonable assurance of: 
effectiveness and efficiency of operations, reliability of financial reporting, and compliance with 
applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (the DHS FAA) designates the 
Department's Chief Financial Officer (CFO), under the authority of the Secretary, as the party responsible 
for the design and implementation of Department-wide internal controls. Furthermore, the DHS FAA 
requires that a management's assertion and an audit opinion of the internal controls over financial 
reporting be included in the Department's annual Performance and Accountability Report. 

Office of Management and Budget TOMB") Circular No. A-123. Management's Responsibility for 
Internal Control, provides guidance on internal controls and requires agencies and Federal managers to 
1) develop and implement management controls; 2) assess the adequacy of management controls; 
3) identify needed improvements; 4) take corresponding corrective action; and 5) report annually on 
management controls. The successful implementation of these requirements facilitates compliance with 
both FMFIA and the DHS FAA. 

Office of Management and Budget (QMS') Circular No. A-127. Financial Management Systems. 
prescribes policies and standards for executive departments and agencies to follow in developing, 
operating-evaluating, and reporting on financial management systems. The successful implementation 
of these requirements facilitates compliance with both FMFIA and the DHS FAA. 

Internal Control Deficiencies - A control deficiency exists when the design or operation of a control 
does not allow management or employees, in the normal course of performing their assigned functions, 
to prevent or detect misstatements on a timely basis. A significant deficiency is a control deficiency, or 
combination of control deficiencies, that adversely affects DHS' ability to initiate, authorize, record, 
process, or report financial data reliably in accordance with U.S. generally accepted accounting 
principles such that there is more than a remote likelihood that a misstatement of DHS' financial 
statements that is more than inconsequential will not be prevented or detected by DHS' internal control 
over financial reporting. A material weakness is a significant deficiency, or combination of significant 
deficiencies, that results in more than a remote likelihood that a material misstatement of the financial 
statements will not be prevented or detected by DHS' internal control. 

Management Directive (MP) 1030. Corrective Action Plans, establishes the "Department's vision and 
direction on the roles and responsibilities for developing, maintaining, reporting, and monitoring MAPs 
specific to the DHS Financial Accountability Act, FMFIA, and related OMB guidance." In addition to the 
roles and responsibilities, MD 1030 outlines the policies and procedures related to the MAP process. The 
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organizational structure detailed in MD 1030 encompasses employees at both the component and 
department levels. ' 

The Internal Controls Over Financial Reporting (ICOFR) I'lavbook (ICOFR Playbook) was developed 
by the OCFO, Internal Control Program Management Office, to assist the Department in meeting the 
financial accountability requirements outlined in the DHS FAA. The ICOFR Playbook outlines the 
Department's "strategy and process to resolve material weaknesses and build management assurances." 
On an annual basis, the ICOFR Playbook is updated by the OCFO to enhance its exiting guidance, as 
necessary, and establish milestones, which will be monitored by the OCFO throughout the year. A 
component of the ICOFR Playbook is MAPs developed by the Department and its components to correct 
internal control deficiencies. 

The Mission Action Plan Guide, Financial Management Focus Areas Fiscal Year 2008 ("MAP Guide) 
outlines the policies and procedures to be used to develop MAPs throughout DHS, pursuant to the roles 
and responsibilities established by the DHS Management Directive (MD) 1030, Corrective Action Plans. 
The MAP Guide applies to all Department Components and Offices (e.g., OFM) where a control 
deficiency has been identified. Note non-confofmances related to the Federal Information Security 
Management Act (FISMA), are under the purview of the Department's Chief Information Security 
Officer 's Plan of 'Action and Milestones (POA&M) 'Process Guide. 

Electronic Program Management Office (ePMO) is a Web-based software application the OCFO 
deployed to manage the collection and reporting of MAP information. 

Mission Action Plans (MAPs). as defined in the MAP Guide, are documents prepared to facilitate the 
remediation of internal control deficiencies identified by management or by external parties. MAP 
documentation, as described in detail in the MAP Guide, includes a MAP Summary Report and a MAP 
Detailed Report that are required to be submitted to the OCFO through ePMO. Below are brief 
descriptions of the MAP Summary and MAP Detailed Reports, based on the ePMO MAP Reports Quick 
Guide contained in the MAP Guide: 

• The MAP Summary Report contains sections to describe the issue (e.g. internal control deficiency 
conditions), results of the root cause analysis performed, relevant financial statement assertions 
affected by the issue, key strategies and performance measures, resources required, an analysis of 
the risks and impediments as seen by management, verification and validation methods, and the 
critical milestones to be achieved. 

• The MAP Detailed Report provides additional data on the milestones, not only on those identified 
as critical but also those sub-milestones under a critical milestone. For each milestone (critical or 
sub), the following data is reflected: due date, percentage of completion, status (e.g., Not Started, 
Work in Progress and Completed), and the responsible and assigned parties. 

The Department's Annual Financial Report (DHS AFR) was issued on November 15, 2007 and consists 
of the Secretary's Message, Management's Discussion and Analysis, Financial Statements and Notes, an 
Independent Auditors' Report, Major Management Challenges, and other required information. The AFR 
was prepared pursuant to OMB Circular No. A- 136, Financial R eporting Requirements. 
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MEMORANDUM MAY J 3 2008 

From: RDML Keith Taylor Reply to CG-85 

Assistant Commandant for Resources Attn of: CAPT E. G. Faux 
and Chief Financial Officer (202) 372-37 17 

U. S. Coast Guard (USCG) 

To: Anne L. Richards 

Assistant Inspector General for Audits 
Department of Homeland Security (DHS) 



Subj: MANAGEMENT RESPONSE TO DRAFT PERFORMANCE AUDIT REPORT ON 
USCG FY 2008 MISSION ACTION PLANS 

1. Thank you for the opportunity to provide comment on the draft performance audit report 
pertaining to the U. S. Coast Guard's FY 2008 Mission Action Plans (MAPs), While in general 
the Coast Guard concurs with the findings and recommendations contained in the report, it 
important to note that these MAPs were prepared using the following Steps provided in DHS 
guidance: identify control deficiencies, conduct root cause analysis, identify root cause based 
actions, develop milestones and tasks, and approve the MAP. 

2. To improve the process and expected results the Service has taken several positive steps over 
the past three months to address the issues identified in the audit. With the Coast Guard 
Financial Strategy for Transformation and Audit Readiness (FSTAR) published in March 2007 
as our basis and in alignment with the findings of the audit, the Coast Guard is refining its 
approach for financial audit readiness to better articulate the critical path between our current 
audit remediation efforts and making financial statement assertions. The following steps provide 
the necessary structure and requirements to refine the multi-year audit readiness strategy. 
Specifically, the approach identifies the Coast Guard's need to: 

a. map financial statement captions, line item balances, assertions, and footnote disclosures 
to key business processes and to the financial and mixed systems through which the 
transactions flow; 



b. identify assessable units and known weaknesses and gaps in data quality and process 
documentation; 

c. conduct a risk assessment of each assessable unit based on quantitative and qualitative 
factors, including significance of interdependencies within the MAPs, to determine the 
priorities for executing remediation and building assertions; 

d. summarize the current state of the internal control documentation, weaknesses, and 
account balance information; the status of the design and implementation of process controls; 
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the accuracy and validity of beginning balances; and the verification and validation 
completion; 

e. identify entity level controls, resource needs and preliminary timelines, as well as refine 
strategies, revise MAPs, and revise/develop detailed project plans; and 

f. revise the FSTAR as appropriate to reflect revised project management structure and 
revised management control program guidance. 

3. The Vice Commandant of the Coast Guard chartered the Audit Readiness Planning Team 
(ARPT) to implement this next phase in our on-going efforts. Consisting of Coast Guard, DHS, 
and contract accounting and resource management professionals, the ARPT will develop the 
revised multi-year entity-wide strategy to achieve financial statement audit readiness. The 
ARPT is scheduled to conclude its effort by the end of August 2008. 

4. Coincidental to the performance audit, the Coast Guard implemented the revised FSTAR 
Standard Operating Procedures (SOP). The revised SOP describes the enhanced management 
structure and the roles and responsibilities of MAP development and monitoring required of 
process owners critical to audit remediation efforts, including the verification and validation 
steps required to support identification and closure of control gaps. 

5. The Coast Guard continues to invest extensive effort in audit remediation. The above actions 
clearly address the report's recommendations and will help to strengthen ongoing Coast Guard 
audit remediation practices. If you have any questions concerning this response please contact 
me, or your staff may contact CAPT Ekundayo Faux, Chief, Office of Financial Transformation 
and Compliance, at 202-372-3717. 

" # 
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Additional Information and Copies 

To obtain additional copies of this report, call the Office of Inspector General 
(OIG) at (202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web 
site at www.dhs.gov/oig. 



OIG Hotline 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of 
criminal or noncriminal misconduct relative to department programs or 
operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, Attention: 

Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410, 

Washington, DC 20528. 

The OIG seeks to protect the identity of each writer and caller. 




